...to places like bwlyli.net and other search sites. Please help.
Here are 8-step logs as requested:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5213
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/29/2010 2:30:54 AM
mbam-log-2010-11-29 (02-30-54).txt
Scan type: Quick scan
Objects scanned: 135265
Time elapsed: 6 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-11-29 02:46:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\kxayypod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-11-27.01) - NTFSx86
Run by Steven at 2:48:14.46 on Mon 11/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.640 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Steven\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-17 3968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-27 312152]
=============== Created Last 30 ================
2010-11-29 08:58:26 -------- d-----w- c:\windows\system32\NtmsData
2010-11-29 08:56:41 -------- d-----w- c:\docume~1\steven\applic~1\Avira
2010-11-28 13:02:12 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-28 12:52:47 -------- d-----w- c:\program files\ProcessExplorer
2010-11-28 12:27:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-26 12:23:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17:02 222080 ------w- c:\windows\system32\MpSigStub.exe
==================== Find3M ====================
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 02:36:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 02:36:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 2:49:03.06 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-11-27.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2009 4:50:11 AM
System Uptime: 11/29/2010 2:43:17 AM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Sempron(tm) Processor 3400+ | Socket 939 | 1989/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 186 GiB total, 111.189 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 11/27/2010 7:16:31 PM - System Checkpoint
RP2: 11/28/2010 12:32:06 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP3: 11/28/2010 12:44:24 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP4: 11/28/2010 4:27:15 AM - Software Distribution Service 3.0
RP5: 11/28/2010 4:34:20 AM - Software Distribution Service 3.0
RP6: 11/28/2010 4:36:40 AM - Software Distribution Service 3.0
RP7: 11/28/2010 6:20:52 PM - Restore Operation
RP8: 11/29/2010 2:40:23 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
RP9: 11/29/2010 2:41:43 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
==== Installed Programs ======================
Acez All Audio Converter v3.0
Across Lite
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Advanced SystemCare 3
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
AVG Anti-Rootkit Free
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.1
Canon MX850 series
Canon MX850 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner
Chinese (Simplified) Language Support
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Crossword Compiler 8 Demo
Data Fax SoftModem with SmartCP
EasyCleaner
EclipseCrossword
Eraser 5.8.7
Eusing Free Registry Cleaner
Express Rip
Facebook Plug-In
Free Video Joiner 1.1
GoToMeeting/GoToWebinar 3.0.0.198
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
IObit Security 360
Java Auto Updater
Java(TM) 6 Update 21
JDownloader
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
MixPad Audio Mixer
Mozilla Firefox (3.6.4)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
Presto! PageManager 7.15.20
QuickTime
Rand McNally Route Planner
Realtek AC'97 Audio
Recipe4win
Recuva (remove only)
Revo Uninstaller 1.90
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB923789)
Slice Audio File Splitter
Smart Math Calculator 2.2
Sophos Anti-Rootkit 1.5.4
SpywareBlaster 4.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinPatrol
WinRAR archiver
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
11/29/2010 2:43:41 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0015F2A0150F has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/29/2010 12:48:18 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/29/2010 12:48:18 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Steven\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
11/29/2010 12:48:18 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/28/2010 5:07:55 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Steven.
11/28/2010 5:07:49 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
11/26/2010 7:06:54 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
==== End Of File ===========================
Here are 8-step logs as requested:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5213
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/29/2010 2:30:54 AM
mbam-log-2010-11-29 (02-30-54).txt
Scan type: Quick scan
Objects scanned: 135265
Time elapsed: 6 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-11-29 02:46:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\kxayypod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-11-27.01) - NTFSx86
Run by Steven at 2:48:14.46 on Mon 11/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.640 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Steven\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-17 3968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-27 312152]
=============== Created Last 30 ================
2010-11-29 08:58:26 -------- d-----w- c:\windows\system32\NtmsData
2010-11-29 08:56:41 -------- d-----w- c:\docume~1\steven\applic~1\Avira
2010-11-28 13:02:12 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-28 12:52:47 -------- d-----w- c:\program files\ProcessExplorer
2010-11-28 12:27:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-26 12:23:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17:02 222080 ------w- c:\windows\system32\MpSigStub.exe
==================== Find3M ====================
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 02:36:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 02:36:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 2:49:03.06 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-11-27.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2009 4:50:11 AM
System Uptime: 11/29/2010 2:43:17 AM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Sempron(tm) Processor 3400+ | Socket 939 | 1989/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 186 GiB total, 111.189 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 11/27/2010 7:16:31 PM - System Checkpoint
RP2: 11/28/2010 12:32:06 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP3: 11/28/2010 12:44:24 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP4: 11/28/2010 4:27:15 AM - Software Distribution Service 3.0
RP5: 11/28/2010 4:34:20 AM - Software Distribution Service 3.0
RP6: 11/28/2010 4:36:40 AM - Software Distribution Service 3.0
RP7: 11/28/2010 6:20:52 PM - Restore Operation
RP8: 11/29/2010 2:40:23 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
RP9: 11/29/2010 2:41:43 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
==== Installed Programs ======================
Acez All Audio Converter v3.0
Across Lite
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Advanced SystemCare 3
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
AVG Anti-Rootkit Free
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.1
Canon MX850 series
Canon MX850 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner
Chinese (Simplified) Language Support
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Crossword Compiler 8 Demo
Data Fax SoftModem with SmartCP
EasyCleaner
EclipseCrossword
Eraser 5.8.7
Eusing Free Registry Cleaner
Express Rip
Facebook Plug-In
Free Video Joiner 1.1
GoToMeeting/GoToWebinar 3.0.0.198
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
IObit Security 360
Java Auto Updater
Java(TM) 6 Update 21
JDownloader
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
MixPad Audio Mixer
Mozilla Firefox (3.6.4)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
Presto! PageManager 7.15.20
QuickTime
Rand McNally Route Planner
Realtek AC'97 Audio
Recipe4win
Recuva (remove only)
Revo Uninstaller 1.90
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB923789)
Slice Audio File Splitter
Smart Math Calculator 2.2
Sophos Anti-Rootkit 1.5.4
SpywareBlaster 4.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinPatrol
WinRAR archiver
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
11/29/2010 2:43:41 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0015F2A0150F has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/29/2010 12:48:18 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/29/2010 12:48:18 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Steven\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
11/29/2010 12:48:18 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/28/2010 5:07:55 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Steven.
11/28/2010 5:07:49 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
11/26/2010 7:06:54 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
==== End Of File ===========================